The scenarios in this series are fictional but grounded in real capabilities and documented risk patterns. They're designed to provoke discussion, not predict specific events.
Domain: Export Controls / Diversion Enforcement
Situation Briefing
At 02:47 EST on a Tuesday in late spring 2027, the first Chip Security Act server phones home from Tehran. The alert does not come from a customs officer, an informant, or a satellite image. It comes from the chip itself.
Twelve weeks earlier, 1,400 Blackwell B200 accelerators cleared U.S. customs for a licensed Singapore end user. The installation reports said the servers were racked in Jurong East. The telemetry says twenty-six server units are now failing location-match checks inside a Tehran data center, and the attestations are cryptographically clean.
That single alert turns export enforcement into doctrine. Public disclosure deters the next diversion but burns the first operational use of the telemetry system. Quiet enforcement preserves sources and methods but risks letting the first precedent become a rumor. Running the cluster as a collection source buys intelligence at the cost of political exposure.
The decision before BIS is not simply how to punish one diversion chain. It is how the United States wants the world to understand hardware that can report its own violation.
Decision Point
Option A: Public disclosure and sanctions. Name the diversion chain quickly and make the first case a deterrent. This owns the narrative but exposes the telemetry system's first live success.
Option B: Quiet enforcement. Use the chain-of-custody evidence to hit suppliers, freeze pending licenses, and preserve sources. This protects capability but delays the public deterrence the law was sold to deliver.
Option C: Run the cluster as a source. Keep watching the Tehran installation to map buyers, workloads, and support networks. This buys intelligence at the cost of explosive political exposure if leaked.
Option D: Escalate to the NSC immediately. Treat the first phone-home event as strategic signaling, not a BIS case. This aligns agencies early but risks turning an enforcement problem into a public crisis before the facts are fully exploited.
Complicating Factors
The law was sold as deterrence. If the first successful alert stays secret forever, Congress will ask whether the architecture protects enforcement capability more than it changes adversary behavior.
The supplier network is the target. The Iranian end user matters, but the Singapore, Hong Kong, and Dubai nodes are the repeatable infrastructure. Punishing only the end point wastes the signal.
The leak clock starts immediately. Chip manufacturers, NIST, BIS, State, and FFRDC analysts all touch the forensic record. If the government does not plan the public version, someone else will supply it.
Running the source changes the ethics of enforcement. Once the United States knowingly allows restricted compute to keep operating, the case is no longer only about a past violation. It is about an authorized decision to tolerate ongoing use.
Diagnostic: What Counts as Disclosure?
The doctrinal question underneath the four options is what disclosure actually means in the post-Chip-Security-Act regime. Disclosure is not binary. It has at least four dimensions: whether the U.S. publicly confirms a diversion occurred, whether it names the actors in the chain, whether it explains how the alert was generated, and whether it reveals the limits of the capability. Each dimension has a different cost. A response that gets one dimension right can fail badly on another. The exercise below asks you to weigh intelligence value against enforcement value for the four most relevant disclosure choices, and to watch how the answer shifts as the weight shifts. The Director will want this calculus on the back of her recommendation memo. It is the work that has to be in the response, not just the option.
Discussion Questions
What was the Chip Security Act for? If it was built for deterrence, disclosure has to come soon. If it was built for collection, Congress should have said so.
Who owns the first public word? BIS, State, Commerce, the chipmaker, and the Hill will all have versions. The first version will decide whether this is a triumph, a surveillance scandal, or a bureaucratic stumble.
How long can collection justify silence? A short exploitation window is defensible. An indefinite one turns enforcement into covert tolerance.
Anna's Read
The chip can tell the government where it is faster than the institution can decide what it means. That lag is the failure to manage.
This is not principally an Iran problem. The Iranian data center is the endpoint. The doctrine-setting question is how the United States handles a diversion chain once the controlled artifact becomes a witness.
My recommendation is B with elements of C: quiet enforcement now, a bounded six-week collection window, and a planned public action before the network hardens or the story leaks. The point is to exploit the first signal without letting secrecy become the doctrine.
Related Briefings
Anna R. Dudley writes on national security, AI policy, and the institutional structures absorbing the costs of AI deployment faster than they are being redesigned. Red Team Scenarios is the series for the call you don't want to take. Subscribe at annardudley.substack.com.